
Summary
The rule "GCP Service Account Deletion" detects the deletion of service accounts in Google Cloud Platform (GCP), an event that matters for both security and operational integrity. Service accounts are non-human identities that applications and VM instances use to authenticate to APIs and call them securely. If an adversary deletes a service account, the result can be disrupted operations, unauthorized access, and potential exploitation of resources. This detection rule monitors GCP audit logs specifically for successful deletion actions against service accounts and raises an alert on each one so that potentially malicious activity can be investigated promptly. The rule provides an overview of investigation steps, suggestions for reducing false positives, and remediation actions to take if a deletion was unauthorized. Organizations are encouraged to verify the intent behind each deletion and to use the GCP "undelete" feature where appropriate. Shipping the audit logs with Filebeat or a similar log collector is required for the rule to see and act on these events.
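The matching logic the summary describes, as an added example rather than the rule's own query: it reads ECS-normalised GCP audit log lines of the shape Filebeat's gcp module produces, keeps only successful service account deletions, and emits one alert per hit. The field names (event.dataset, event.action, event.outcome, gcp.audit.resource_name, gcp.audit.authentication_info.principal_email), the IAM method name google.iam.admin.v1.DeleteServiceAccount, and all project names, emails and addresses in the sample lines are assumptions or constructed values, not data from the page.

```python
"""Detect successful GCP service account deletions in ECS-style audit log lines.

Added example, not the rule's own implementation. Field names and the IAM
method name below are assumed; the sample log lines are constructed.
"""
import json
from typing import Iterable

# Assumed IAM Admin API method name recorded when a service account is deleted.
DELETE_SA_METHOD = "google.iam.admin.v1.DeleteServiceAccount"

# Constructed newline-delimited JSON log lines (not real audit data):
# one successful deletion, one denied deletion attempt, one unrelated creation,
# and one malformed line that a parser must tolerate.
SAMPLE_LOG_LINES = """\
{"@timestamp":"2024-01-10T09:12:31Z","event":{"dataset":"gcp.audit","action":"google.iam.admin.v1.DeleteServiceAccount","outcome":"success"},"gcp":{"audit":{"resource_name":"projects/example-project/serviceAccounts/ci-deployer@example-project.iam.gserviceaccount.com","authentication_info":{"principal_email":"alice@example.com"}}},"source":{"ip":"203.0.113.7"}}
{"@timestamp":"2024-01-10T09:13:02Z","event":{"dataset":"gcp.audit","action":"google.iam.admin.v1.DeleteServiceAccount","outcome":"failure"},"gcp":{"audit":{"resource_name":"projects/example-project/serviceAccounts/billing-export@example-project.iam.gserviceaccount.com","authentication_info":{"principal_email":"bob@example.com"}}},"source":{"ip":"198.51.100.23"}}
{"@timestamp":"2024-01-10T09:14:45Z","event":{"dataset":"gcp.audit","action":"google.iam.admin.v1.CreateServiceAccount","outcome":"success"},"gcp":{"audit":{"resource_name":"projects/example-project/serviceAccounts/new-app@example-project.iam.gserviceaccount.com","authentication_info":{"principal_email":"alice@example.com"}}},"source":{"ip":"203.0.113.7"}}
this line is not JSON and must be skipped
"""


def flatten(obj: dict, prefix: str = "") -> dict:
    """Turn nested JSON objects into dotted ECS-style keys (a.b.c -> value)."""
    out = {}
    for key, value in obj.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def parse_log_lines(lines: Iterable[str]) -> list[dict]:
    """Parse NDJSON lines into flattened events, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(flatten(json.loads(line)))
        except json.JSONDecodeError:
            continue  # Malformed input must not stop the detection run.
    return events


def is_sa_deletion(event: dict) -> bool:
    """Match the rule's three conditions: GCP audit source, delete method, success."""
    return (
        event.get("event.dataset") == "gcp.audit"
        and event.get("event.action") == DELETE_SA_METHOD
        and event.get("event.outcome") == "success"
    )


def detect(lines: Iterable[str]) -> list[dict]:
    """Return one alert per successful service account deletion."""
    alerts = []
    for event in parse_log_lines(lines):
        if is_sa_deletion(event):
            alerts.append({
                "timestamp": event.get("@timestamp"),
                "principal": event.get("gcp.audit.authentication_info.principal_email"),
                "resource": event.get("gcp.audit.resource_name"),
                "source_ip": event.get("source.ip"),
                "rule": "GCP Service Account Deletion",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG_LINES.splitlines()):
        print(json.dumps(alert))
```

Only the first sample line produces an alert: the denied attempt is excluded by the success filter, and the creation is excluded by the method filter. An analyst working the alert would confirm with the principal whether the deletion was intended and, if it was not, restore the account with the GCP undelete feature mentioned above.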
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Storage
- Application Log
- Network Traffic
ATT&CK Techniques
- T1531
Created: 2020-09-22